
Request.Params fires input validation

Open rickparrish opened this issue 5 years ago • 0 comments

I have a contact form that uses [AllowHtml] on the Body property to allow users to submit HTML code to me, which was working fine, but after installing recaptcha-net the old "A potentially dangerous Request.Form value was detected from the client" exceptions came back.

It looks like this is bot-related activity that isn't passing the recaptcha validation parameters, which leads to a code path that makes use of Request.Params, which unconditionally validates input (i.e. [AllowHtml] and ValidateInput(false) are not taken into account).

To fix this problem I've switched from Request.Params to Request.Unvalidated, and now the exceptions have stopped again.

So what are your thoughts on switching to Request.Unvalidated in the main codebase? Unfortunately Request.Unvalidated is not available in 4.0, which wasn't a problem in my case because I wanted to build 4.5.1 DLLs anyway, but the main codebase would need to work around that somehow (e.g. maybe use an #if NET40 to keep the old Request.Params behaviour for 4.0).

Thanks, Rick

rickparrish, Sep 04 '19 13:09
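
One way the conditional read proposed in the issue could look, as an added example that is not code from recaptcha-net or from the issue author. Assumptions: the class and method names are hypothetical, `NET40` is a build symbol defined by the project for its 4.0 target, the field read is the standard reCAPTCHA v2 `g-recaptcha-response` field, and the length cap and character set in the token check are assumed bounds.

```csharp
using System.Web;

// Hypothetical helper for illustration; not code from recaptcha-net.
public static class RecaptchaFieldReader
{
    // Assumption: the field being read is the standard reCAPTCHA v2 response field.
    private const string ResponseField = "g-recaptcha-response";
    private const int MaxTokenLength = 4096; // assumed upper bound

    public static string ReadResponseToken(HttpRequest request)
    {
        string token;
#if NET40
        // Request.Unvalidated does not exist on 4.0, so the old behaviour stays.
        // As the issue describes, Request.Params is validated regardless of
        // [AllowHtml] / ValidateInput(false), so HTML submitted in another
        // field can still raise the "potentially dangerous" exception here.
        token = request.Params[ResponseField];
#else
        // 4.5+: read only the field we need, without running request
        // validation over the rest of the submitted form.
        UnvalidatedRequestValues raw = request.Unvalidated;
        token = raw.Form[ResponseField] ?? raw.QueryString[ResponseField];
#endif
        // Missing or malformed token: treat as a failed captcha, not an error.
        return IsPlausibleToken(token) ? token : null;
    }

    // The value skipped request validation, so constrain it before use.
    // Assumption: tokens contain only URL-safe base64 characters.
    private static bool IsPlausibleToken(string token)
    {
        if (string.IsNullOrEmpty(token) || token.Length > MaxTokenLength)
            return false;
        foreach (char c in token)
        {
            bool ok = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                      (c >= '0' && c <= '9') || c == '-' || c == '_';
            if (!ok) return false;
        }
        return true;
    }
}
```

Unlike `Request.Params`, this reads only the form and query string, so a value supplied through a cookie or server variable is no longer picked up.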